05:41:19 logging to http://www.w3.org/2015/10/28-web-bluetooth-irc
05:41:32 rrsagent, set logs world-visible
05:41:46 scribe: tobie
05:41:55 ScribeNick: tobie
05:42:08 meeting: Device APIs and Privacy/Permissions
05:42:20 chair: jyasskin
05:42:20 rrsagent, make logs public
05:42:39 agenda: https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Device_APIs_and_Privacy.2FPermissions
05:42:54 rrsagent, generate minutes
05:42:54 I have made the request to generate http://www.w3.org/2015/10/28-web-bluetooth-minutes.html anssik
05:43:03 Present+ Anssi_Kostiainen
05:43:06 present+ npdoty
05:43:07 Present+ Tobie_Langel
05:43:46 jyasskin: explore what's difficult about device APIs,
05:43:56 ... why permissions are hard,
05:44:35 present+ dsinger
05:44:40 dsinger: I have a proposal
05:44:49 s/proposal/idea/
05:44:56 s/a/an/
05:45:29 aalfar: security too?
05:46:00 jyasskin: list of scary APIs:
05:46:09 ... Bluetooth
05:46:19 ... NFC
05:46:25 ... USB
05:46:32 ... GPIO
05:46:38 ... I2C
05:46:58 ... Automotive
05:47:03 ... Actuators
05:47:37 ... Battery
05:47:49 ... Camera/Mic
05:48:02 ... Ambient Light
05:48:07 ... mDNS
05:48:18 ... Screencapture
05:48:22 ... Health
05:48:51 ... * fingerprinting
05:49:44 jyasskin: one way of mitigating the problem, only expose part of the API
05:50:26 ... we don't know the permission story for scanning, acting as a server, doing that in the background, BT classic protocol, etc.
05:50:44 ... for NFC: just the foreground use case. (Page visibility).
05:51:05 ... there's useful things beyond that but permissioning story hard.
05:51:33 q+ on how NFC clarifies what you're doing
05:52:11 anssik: drag and drop is a nice example: parts the user understands (e.g. the picture)
05:52:19 ... part the user doesn't: the metadata
05:52:48 jyasskin: security issue too, as there's no origin model for things like bluetooth
05:53:02 ... FIDO is looking into that?
05:53:25 FIDO requires knowing the origin, because it expects devices to return different values based on the origin
05:55:03 Claes: are you considering stronger security models beyond permission/https?
05:55:13 jyasskin: how would we do that?
05:55:45 ... are you suggesting the device would be aware of certain origins it wants to talk to?
05:55:59 [a survey of various permission models used in current Web APIs I conducted 18 months ago http://dontcallmedom.github.io/web-permissions-req/matrix.html ]
05:56:32 ... we talked about a CSP-based solution but that kind of fell off the radar
05:57:21 dom: limitation of CSP: since it can be put in the markup, if there's an XSS then there are issues.
05:57:37 jyasskin: there's feedback on this in Media Capture
05:58:03 ... you can require certain CSP constraints (e.g. not in page)
05:58:30 ack npdoty_
05:58:30 npdoty_, you wanted to comment on how NFC clarifies what you're doing
05:58:39 q+ mathieucitrix
05:58:49 npdoty_: how can you explain this to the user?
05:59:09 ... npdoty_ is great because there's physical movements involved
05:59:24 s/npdoty_//
05:59:43 ... are there other similar solutions like this?
05:59:56 anssi: goes back to my previous drag and drop example
06:00:21 jyasskin: nextstep ability, upgrade from NFC to bluetooth. How do we explain that upgrade?
06:00:34 dsinger: have you used the app bump?
06:02:13 q?
06:02:19 q- mathieucitrix
06:02:44 jyasskin: with NFC's security model you know which device you're giving access to, but you don't know their capabilities.
06:03:10 npdoty_: we should be thinking about that in terms of multiple steps.
06:03:21 anssik: I like that, who and what.
06:03:41 ... who am I talking with, what am I transferring?
06:03:55 jyasskin: what is the most important + the most difficult bit
06:04:24 jyasskin: with bluetooth, the browser doesn't know what's being transferred
06:05:12 npdoty_: is there metadata around bluetooth metadata?
06:05:21 https://developer.bluetooth.org/gatt/services/Pages/ServicesHome.aspx
06:05:29 s/bluetooth metadata/bluetooth capabilities and kinds/
06:05:29 Standardized protocols ^
06:05:40 jyasskin: in general no, there are some standards around keyboards in the list above.
06:06:48 npdoty_: usability issue in BT
06:07:10 opaque names are a problem with BT pairing already, just with native OS
06:07:25 jyasskin: we'd like to build a registry of bluetooth identifiers to user-readable names
06:07:57 makes it hard to know which device you're actually connecting, as well as what it's going to do
06:08:21 ... this has issues too, obviously, e.g. innocuous name
06:09:22 wow, this is a crazy list, including "Continuous Glucose Monitoring" and "Next DST Change Service"
06:10:13 Claes: xxx
06:11:21 dom: can you use this bluetooth connection to break the same origin policy?
06:11:35 dom: e.g. bluetooth device fetching data over http breaks SOP
06:12:07 jyasskin: even if you blacklist this, you can still get devices that do it in a non-standard way.
06:12:28 jyasskin: at some point we can't prevent users from shooting themselves in the foot
06:13:31 npdoty_: fingerprinting users using bluetooth ID
06:13:56 jyasskin: we're not exposing standard ID, but won't block non-standard ones
06:14:04 jyasskin: we can blacklist the standard device identifier fields
06:14:50 Topic: Health Data Idea
06:15:06 dsinger: what's my reaction to health data sensor?
06:15:18 ... usual model is we ask the user
06:15:41 ... problem: the list is huge
06:15:48 ... the user isn't aware of the data policy.
06:16:20 ... idea: a digital file on the server that has these three data points:
06:16:24 q+
06:16:44 1. which health sensors would be required
06:16:58 2. which policies the website would abide by?
06:17:46 3. for how long would the request last?
06:18:28 Makes it possible to turn privacy violation into promise violation.
06:18:52 jyasskin: seems related to p3p
06:20:20 dsinger: basic idea is you can avoid asking the user in most cases.
06:20:47 dsinger: provide URLs, rather than full machine-readable policies (a la P3P)
06:21:16 My question was that if the IPv6 profile (IPSP) is used then the device is an IPv6 device, standard protocols and security mechanisms could be used and the resources of the device could be exposed through an internal web server, i.e. no specific Web Bluetooth API would be needed? Jeffrey answered that this could be done for new devices but for existing devices not running IPSP this API is needed.
06:21:32 s/for how long would the request last?/time lapse by which the server plans to abide by these policies/
06:21:58 -> http://dev.w3.org/2009/dap/privacy-rulesets/ Privacy Rulesets editors draft, back from 2010
06:22:18 dsinger: current model by which we get user consent is broken, we ask them at the worst possible moment.
06:22:58 dsinger: UA will need to cache this data + enforce it.
06:23:49 dom: developers want a way to express what they need the data for, but UA don't want devs to message within trusted chrome.
06:24:02 ... so it seems this would somehow solve this.
06:25:38 jyasskin: plan for bluetooth follows extensible manifesto
06:26:19 ... first low level, then use that to create higher-level APIs such as health
06:26:40 q?
06:26:43 ack tobie
06:26:58 tobie: similar to sensors that we distinguish between high-level and low-level
06:27:16 ... incentives for developers to use higher-level sensors unless they really really need access to the low-level
06:27:31 ... gyroscope more incentive than just the step count
06:27:39 s/incentive/invasive/
06:27:58 anssik: data minimization, the least information that gets the job done
06:29:13 dsinger: similarly, better to ask for permission about the type of data, rather than the particular mechanism. like "location" rather than "GPS"
06:29:42 jyasskin: bluetooth prompt is going to be quite invasive
06:29:55 jyasskin: you get two prompts
06:30:36 ... we have to find a different story for innocuous bluetooth devices (e.g. toys in happy meals).
06:30:55 I wonder if it's possible for a bluetooth device to certify that it is "innocuous"
06:31:30 dom: broader question: ongoing conversation over the years, how do we solve this in a more general way?
06:31:30 "I am a toy, with no high-granularity sensors or unique identifiers. Anyone can access me, without destruction of property or privacy invasion."
06:32:04 jyasskin: we want to ship something and use this to inform design
06:32:05 when you say "certify", do you mean with guarantees that it doesn't lie?
06:32:14 ^npdoty
06:32:45 dom, I actually think it could partly be purely self-certified. if it turns out you're wrong and someone destroys your customer's device, well, it was your fault. (maybe privacy is harder.)
06:32:47 ... we're shipping this using XXX
06:33:39 but the bluetooth device could be part of the attack; e.g. "I'm an innocuous toy, but in fact am collecting geolocation data and sending it to my owner"
06:34:20 dom, yeah, it makes more sense for the actuator/device-destruction problem
06:35:19 YYY: general pattern for permission, as you need that for certain cases (e.g. notification, push, etc.)
06:36:36 anssik: implementations could improve permission revoking
06:36:53 ... it should be as easy to revoke permission as it is to grant them
06:37:18 jyasskin: the default for new permissions is secure origin
06:37:55 rrsagent, please draft the minutes
06:37:55 I have made the request to generate http://www.w3.org/2015/10/28-web-bluetooth-minutes.html npdoty_
06:38:04 s/YYY/Shijun Sun/